JavaScript is one of the most popular programming languages for web development, and Node.js is a very popular back-end runtime among JavaScript developers. Most Node.js users rely on npm as their package manager. Node.js and npm are both open source. It may come as a shock to many (and certainly to a new developer like myself) that until recently there was no check that a package downloaded from npm was actually built from the source code its maintainers publish. A package installed from the registry is a tarball that was built (bundled, transpiled, minified) on the maintainer's machine or in their CI before it reached us, and nothing in the install step tied that tarball back to a specific repository and commit. Installing open source packages with npm was done on good faith that whatever we downloaded came from the original author.
I recently read an article from Wired discussing the security concerns around this gap in open source packaging. In recent years, cyber attacks have increasingly targeted open source software, including many that aim to compromise software supply chains. Because so much of the world relies on open source software as an integral development resource, this is potentially a major problem.
Luckily, industry-wide code signing for open source is being implemented as a solution. Sigstore is an open source project under the Linux Foundation, started by Google, Red Hat and Purdue University and developed together with Cisco, VMware, GitHub (owned by Microsoft) and others; GitHub is the company bringing it to npm. Instead of asking every maintainer to guard a long-lived signing key, Sigstore issues short-lived certificates tied to the login identity of the developer or CI system doing the signing, and records every signature in a public, append-only transparency log. Together these create a verifiable chain of custody: a consumer can check that a published package was built by a specific workflow from a specific source commit, and the record of that signing event cannot be quietly altered or deleted afterwards. As Sigstore is adopted across the industry and by open source maintainers, it will continue to make open source software more secure.
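Here is what this looks like in practice for an npm maintainer. The workflow below is an added example written for this post, not code from the original article or from the Sigstore or npm projects; the workflow name, release trigger, Node version and the `NPM_TOKEN` secret name are my assumptions. The two lines that matter are the `id-token: write` permission, which lets GitHub Actions hand the job an OIDC identity token that Sigstore exchanges for a short-lived signing certificate, and `npm publish --provenance` (npm 9.5 or newer), which builds the attestation, signs it and logs it.

```yaml
# .github/workflows/publish.yml
# Constructed example: publishes a package to npm with Sigstore-backed provenance.
# Workflow name, trigger and secret name are assumptions, not from the original post.
name: Publish to npm with provenance

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Lets this job request an OIDC token from GitHub. Sigstore's certificate
      # authority exchanges that token for a short-lived signing certificate, so
      # no long-lived private key is stored in the repository or its secrets.
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          # setup-node writes an .npmrc that reads NODE_AUTH_TOKEN for this registry.
          registry-url: https://registry.npmjs.org

      - run: npm ci
      - run: npm test

      # --provenance makes npm generate a build attestation naming this repository,
      # commit and workflow, sign it with the OIDC-backed certificate, and record
      # the signature in the public transparency log before uploading the tarball.
      # --access public is required for scoped packages and harmless otherwise.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

On the consuming side, `npm audit signatures` (npm 9.5 or newer) checks the registry signatures and, where present, the provenance attestations of every installed package, so it can be added to a project's CI alongside `npm ci`. One caveat worth keeping in mind: provenance proves which repository, commit and workflow produced the tarball, not that a trusted human reviewed it. A compromised repository or CI runner still produces valid provenance, so the attestation is evidence for your own review of the source, not a replacement for it.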